Bill Amendments

S5946 - Details

S5946 - Summary

Directs the commissioner of the division of homeland security and emergency services to work with other experts who maintain experience and knowledge in the area of cyber security to develop a cyber security action plan for New York state.

S5946 - Sponsor Memo

BILL NUMBER: S5946
TITLE OF BILL :
An act to amend the executive law, in relation to a cyber security
action plan
PURPOSE :
To develop a cyber security action plan that will create a
comprehensive and effective strategy to provide meaningful cyber
security for New York, its state agencies, its public authorities, its
assets, its infrastructure, its local governments, its private sector
businesses, its not-for-profit corporations and individuals.
SUMMARY OF SPECIFIC PROVISIONS :
Section one amends the executive law by adding a new section 719,
requiring the development of a cyber security action plan, with
findings and recommendations to be reported to the Legislature and the
Governor.
The team comprising the cyber security action plan, will make
recommendations regarding the establishment of a new state office of
cyber security. They will also make recommendations to create, within
the new office of cyber security, a cyber security defense unit, cyber
incident response teams, and a cyber education and attack prevention
unit. This section also requires the state office to submit an annual
report and permits the division of homeland security and emergency
services to charge non-governmental entities for the reasonable cost
of services.
Section two is the effective date.
JUSTIFICATION :
According to such entities as the United States Department of Homeland
Security, Interpol and the New York State White Collar Crime Task
Force, cybercrime is a pervasive and rapidly expanding threat. New
York state is particularly at risk to cybercrime due to its status as
a global hub of international business and commerce. As, most major
national and international banks, insurance companies and brokerage
houses also have headquarters or a significant presence within the
state, such present a particularly attractive target to those who wish
to engage in cyber crime or cyber terrorism.
Through the development of a cyber security action plan, the state of
New York can adequately and effectively prevent, respond to, and
recover from cyber attacks. Each of the units and teams established
pursuant to the cyber security action plan will maintain critical
roles in providing cyber security for the state. The defense unit and
response teams will be assigned the mission of using and developing
software, hardware and protocols to prevent unauthorized invasions,
hacking and attacks, and develop response activities, procedures, and
protocols to any such invasion or attack on any state computer network
or system. In addition, the mission of the response teams will be to
respond to and assist the targeted entity in the recovery from a cyber
attack. The education and prevention unit will help educate
governmental and non-governmental entities through instruction,
informational programs, and/or instructional or informational
material. This bill will significantly diminish current cyber
vulnerabilities within the state and effectively prepare entities
against cyber attacks.
PRIOR LEGISLATIVE HISTORY :
New Bill.
FISCAL IMPLICATIONS :
To be determined.
EFFECTIVE DATE :
This act shall take effect immediately.

S T A T E O F N E W Y O R K
________________________________________________________________________
5946
2017-2018 Regular Sessions
I N S E N A T E
May 8, 2017
___________
Introduced by Sen. CROCI -- read twice and ordered printed, and when
printed to be committed to the Committee on Veterans, Homeland Securi-
ty and Military Affairs
AN ACT to amend the executive law, in relation to a cyber security
action plan
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. The executive law is amended by adding a new section 719
to read as follows:
S 719. CYBER SECURITY. 1. CYBER SECURITY ACTION PLAN. THE COMMISSION-
ER, IN CONSULTATION WITH THE CHIEF INFORMATION OFFICER OF THE OFFICE OF
INFORMATION TECHNOLOGY, THE SUPERINTENDENT OF STATE POLICE, THE COMMIS-
SIONER OF GENERAL SERVICES, THE SUPERINTENDENT OF FINANCIAL SERVICES,
THE OFFICE OF THE STATE COMPTROLLER, AND SUCH OTHER EXPERTS FROM THE
PUBLIC, PRIVATE AND NOT-FOR-PROFIT SECTORS WHO MAINTAIN EXPERIENCE AND
KNOWLEDGE IN THE AREA OF CYBER SECURITY AS THE COMMISSIONER DEEMS
PRUDENT, SHALL DEVELOP A CYBER SECURITY ACTION PLAN FOR NEW YORK STATE.
THE PLAN SHALL MAKE RECOMMENDATIONS TO THE GOVERNOR AND THE LEGISLATURE
REGARDING THE ESTABLISHMENT OF A NEW STATE OFFICE OF CYBER SECURITY,
UNDER THE COMMAND AND CONTROL OF THE COMMISSIONER AND WITHIN THE DIVI-
SION, INCLUDING IDENTIFYING SUCH BUREAUS, RESPONSIBILITIES AND DUTIES
THAT SHOULD BE CONTAINED AND PERFORMED WITHIN SUCH OFFICE, THE BUDGET
AND PERSONNEL NECESSARY TO ESTABLISH SUCH OFFICE, AND THE SITE LOCATIONS
AT WHICH SUCH OFFICE SHOULD BE SITUATED. THE PURPOSE OF THE PLAN SHALL
BE TO DEVELOP A COMPREHENSIVE AND EFFECTIVE STRATEGY TO PROVIDE MEANING-
FUL CYBER SECURITY FOR THE STATE OF NEW YORK, ITS STATE AGENCIES, ITS
PUBLIC AUTHORITIES, ITS ASSETS, ITS INFRASTRUCTURE, ITS LOCAL GOVERN-
MENTS, AND ITS PRIVATE SECTOR BUSINESSES, NOT-FOR-PROFIT CORPORATIONS
AND INDIVIDUALS.
2. CYBER SECURITY DEFENSE UNIT. THE CYBER SECURITY ACTION PLAN ESTAB-
LISHED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL FURTHER MAKE
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD11004-01-7
RECOMMENDATIONS TO THE GOVERNOR AND THE LEGISLATURE ON THE ESTABLISH-
MENT, WITHIN THE OFFICE OF CYBER SECURITY, OF A CYBER SECURITY DEFENSE
UNIT. THE CYBER SECURITY ACTION PLAN SHALL DETAIL HOW THE CYBER SECURITY
DEFENSE UNIT, WOULD CONSIST OF SUCH PERSONS AS THE COMMISSIONER DEEMS
NECESSARY TO PERFORM ITS MISSION. THE CYBER SECURITY ACTION PLAN SHALL
FURTHER DETAIL THE MISSION OF THE CYBER SECURITY DEFENSE UNIT, WITH SUCH
MISSION BEING TO HELP PREVENT, RESPOND TO, AND RECOVER FROM CYBER
ATTACKS TARGETED AGAINST THE STATE, ITS ASSETS, AND ITS INFRASTRUCTURE,
TOGETHER WITH SUCH OTHER AND FURTHER DUTIES AND RESPONSIBILITIES AS THE
CYBER SECURITY ACTION PLAN MAY ADDITIONALLY PRESCRIBE. THE CYBER SECU-
RITY ACTION PLAN SHALL FURTHER DETAIL THAT THE PERSONNEL OF THE CYBER
SECURITY DEFENSE UNIT MUST BE EXPERT IN COMPUTER AND PROGRAMMING TECH-
NOLOGY SO AS TO PREVENT AND RESPOND TO UNAUTHORIZED INVASION, HACKING
AND ATTACKS AGAINST COMPUTER NETWORKS, SYSTEMS, DATABASES, AND INFORMA-
TION STORAGE. THE CYBER SECURITY ACTION PLAN SHALL FURTHER DETAIL HOW
THE PERSONNEL OF THE CYBER SECURITY DEFENSE UNIT MUST HAVE BACKGROUND
AND EXPERIENCE IN COMPUTER, SYSTEM AND NETWORK OPERATIONS AND VULNER-
ABILITIES, PROGRAMMING CODE, DATA RECOVERY AND CYBER SECURITY. THE
CYBER SECURITY ACTION PLAN SHALL ALSO PROVIDE THAT, IN ADDITION TO ANY
OTHER TASKS THE COMMISSIONER MAY WISH TO ASSIGN THE CYBER SECURITY
DEFENSE UNIT, THAT SUCH CYBER SECURITY DEFENSE UNIT SHALL ALSO BE
ASSIGNED THE MISSION OF USING AND DEVELOPING SOFTWARE, HARDWARE, AND
PROTOCOLS TO PREVENT SUCH UNAUTHORIZED INVASIONS, HACKING AND ATTACKS,
AND TO DEVELOP RESPONSE ACTIVITIES, PROCEDURES, AND PROTOCOLS TO ADDRESS
ANY SUCH INVASION, HACKING OR ATTACK ON ANY STATE COMPUTER NETWORK,
SYSTEM, DATABASE, AND/OR INFORMATION STORAGE. THE CYBER SECURITY ACTION
PLAN SHALL FURTHER DETAIL HOW THE CYBER SECURITY DEFENSE UNIT SHOULD
INTERACT AND DEPLOY THE USE OF OTHER CYBER EXPERTS, EDUCATORS, LAW
ENFORCEMENT, INTELLIGENCE EXPERTS, AND OTHER PUBLIC AND PRIVATE SECTOR
ENTITIES TO ASSIST IT IN THE PERFORMANCE OF ITS MISSION.
3. CYBER INCIDENT RESPONSE TEAMS. THE CYBER SECURITY ACTION PLAN
ESTABLISHED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL FURTHER
MAKE RECOMMENDATIONS TO THE GOVERNOR AND THE LEGISLATURE ON THE ESTAB-
LISHMENT, WITHIN THE OFFICE OF CYBER SECURITY, OF A GROUP OF CYBER INCI-
DENT RESPONSE TEAMS. THE CYBER SECURITY ACTION PLAN SHALL DETAIL HOW THE
CYBER INCIDENT RESPONSE TEAMS WOULD CONSIST OF SUCH PERSONS AS THE
COMMISSIONER DEEMS NECESSARY TO PERFORM ITS MISSION. THE CYBER SECURITY
ACTION PLAN SHALL FURTHER DETAIL THE MISSION OF THE CYBER INCIDENT
RESPONSE TEAMS, WITH SUCH MISSION BEING TO HELP PREVENT, RESPOND TO, AND
RECOVER FROM, CYBER ATTACKS TARGETED AGAINST STATE ENTITIES, PUBLIC
AUTHORITIES, LOCAL GOVERNMENTS, AND/OR PRIVATE SECTOR BUSINESSES,
NOT-FOR-PROFIT CORPORATIONS AND INDIVIDUALS, TOGETHER WITH SUCH OTHER
AND FURTHER DUTIES AND RESPONSIBILITIES AS THE CYBER SECURITY ACTION
PLAN MAY ADDITIONALLY PRESCRIBE. THE CYBER SECURITY ACTION PLAN SHALL
FURTHER DETAIL THAT THE PERSONNEL OF THE CYBER INCIDENT RESPONSE TEAMS
MUST BE EXPERT IN COMPUTER AND PROGRAMMING TECHNOLOGY SO AS TO PREVENT
AND RESPOND TO AN UNAUTHORIZED INVASION, HACKING AND ATTACKS AGAINST
COMPUTER NETWORKS, SYSTEMS, DATABASES, AND INFORMATION STORAGE. THE
CYBER SECURITY ACTION PLAN SHALL ADDITIONALLY DETAIL HOW THE PERSONNEL
OF THE CYBER INCIDENT RESPONSE TEAMS MUST HAVE BACKGROUND AND EXPERIENCE
IN COMPUTER, SYSTEM AND NETWORK OPERATIONS AND VULNERABILITIES, PROGRAM-
MING CODE, DATA RECOVERY AND CYBER SECURITY. THE CYBER SECURITY ACTION
PLAN SHALL ALSO PROVIDE, IN ADDITION TO ANY OTHER TASKS THE COMMISSIONER
MAY WISH TO ASSIGN THE CYBER INCIDENT RESPONSE TEAMS, THAT SUCH CYBER
INCIDENT RESPONSE TEAMS SHALL ALSO BE ASSIGNED THE MISSION OF USING AND
DEVELOPING SOFTWARE, HARDWARE, AND PROTOCOLS TO PREVENT SUCH UNAUTHOR-
IZED INVASIONS, HACKING AND ATTACKS, AND TO DEVELOP RESPONSE ACTIVITIES,
PROCEDURES, AND PROTOCOLS TO ADDRESS ANY SUCH INVASION, HACKING OR
ATTACK ON ANY STATE COMPUTER NETWORK, SYSTEM, DATABASE, AND/OR INFORMA-
TION STORAGE. THE CYBER SECURITY ACTION PLAN SHALL ALSO PROVIDE THAT IT
WOULD FURTHER BE THE MISSION OF EACH CYBER INCIDENT RESPONSE TEAM TO
RESPOND TO, AND HELP THE TARGETED ENTITY TO RECOVER FROM, CYBER INVA-
SION, HACKING AND ATTACKS. THE CYBER SECURITY ACTION PLAN SHALL ALSO
PROVIDE THAT WITHIN RESOURCES AVAILABLE, THE COMMISSIONER MAY DEPLOY A
CYBER INCIDENT RESPONSE TEAM TO A STATE ENTITY, PUBLIC AUTHORITY, LOCAL
GOVERNMENT, PRIVATE SECTOR BUSINESS, OR NOT-FOR-PROFIT CORPORATION THAT
HAS EXPERIENCED A CYBER ATTACK, TO PROMOTE AND ASSIST IN SUCH ENTITY'S
RESPONSE AND RECOVERY EFFORTS. THE CYBER SECURITY ACTION PLAN SHALL
FURTHER DETAIL HOW THE CYBER INCIDENT RESPONSE TEAM SHOULD INTERACT AND
DEPLOY THE USE OF OTHER CYBER EXPERTS, EDUCATORS, LAW ENFORCEMENT,
INTELLIGENCE EXPERTS, AND OTHER PUBLIC AND PRIVATE SECTOR ENTITIES TO
ASSIST THEM IN THE PERFORMANCE OF THEIR MISSION.
4. CYBER EDUCATION AND ATTACK PREVENTION. THE CYBER SECURITY ACTION
PLAN ESTABLISHED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL
FURTHER MAKE RECOMMENDATIONS TO THE GOVERNOR AND THE LEGISLATURE ON THE
ESTABLISHMENT, WITHIN THE OFFICE OF CYBER SECURITY, OF A CYBER EDUCATION
AND ATTACK PREVENTION UNIT TO ASSIST STATE AGENCIES, PUBLIC AUTHORITIES,
LOCAL GOVERNMENTS, AND/OR PRIVATE SECTOR BUSINESSES, NOT-FOR-PROFIT
CORPORATIONS AND INDIVIDUALS. THE CYBER SECURITY ACTION PLAN SHALL
DETAIL HOW THE CYBER EDUCATION AND ATTACK PREVENTION UNIT WOULD CONSIST
OF SUCH PERSONS AS THE COMMISSIONER DEEMS NECESSARY TO PERFORM ITS
MISSION. THE CYBER SECURITY ACTION PLAN SHALL FURTHER DETAIL THE MISSION
OF THE CYBER EDUCATION AND ATTACK PREVENTION UNIT, WITH SUCH MISSION
BEING TO HELP EDUCATE STATE AGENCIES, PUBLIC AUTHORITIES, LOCAL GOVERN-
MENTS, AND/OR PRIVATE SECTOR BUSINESSES, NOT-FOR-PROFIT CORPORATIONS AND
INDIVIDUALS ON HOW TO PREVENT AND RESPOND TO A CYBER ATTACK, TOGETHER
WITH SUCH OTHER AND FURTHER DUTIES AND RESPONSIBILITIES AS THE CYBER
SECURITY ACTION PLAN MAY ADDITIONALLY PRESCRIBE. THE CYBER SECURITY
ACTION PLAN SHALL FURTHER DETAIL THAT THE COMMISSIONER MAY DEPLOY WITHIN
RESOURCES AVAILABLE THE CYBER EDUCATION AND ATTACK PREVENTION UNIT TO
STATE AGENCIES, PUBLIC AUTHORITIES, LOCAL GOVERNMENTS, PRIVATE SECTOR
BUSINESSES, AND/OR NOT-FOR-PROFIT CORPORATIONS, TO EDUCATE AND/OR
INSTRUCT SUCH ENTITIES, HOLD INFORMATIONAL PROGRAMS, AND/OR PROVIDE
INSTRUCTIONAL OR INFORMATIONAL MATERIALS. THE CYBER SECURITY ACTION PLAN
SHALL FURTHER DETAIL HOW THE CYBER EDUCATION AND ATTACK PREVENTION UNIT
SHOULD INTERACT AND DEPLOY THE USE OF OTHER CYBER EXPERTS, EDUCATORS,
LAW ENFORCEMENT, INTELLIGENCE EXPERTS, AND OTHER PUBLIC AND PRIVATE
SECTOR ENTITIES TO ASSIST IT IN THE PERFORMANCE OF ITS MISSION.
5. REPORTING OF CYBER ENTITIES. THE CYBER SECURITY ACTION PLAN ESTAB-
LISHED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL FURTHER MAKE
RECOMMENDATIONS ON THE REPORTING OF THE NEW STATE OFFICE OF CYBER SECU-
RITY. THE CYBER SECURITY ACTION PLAN SHALL FURTHER REQUIRE THAT SUCH
REPORTING SHOULD CONTAIN A REQUIREMENT THAT ON OR BEFORE DECEMBER FIRST,
TWO THOUSAND EIGHTEEN, AND THEN EVERY YEAR THEREAFTER, THAT THE COMMIS-
SIONER SHALL SUBMIT A REPORT TO THE GOVERNOR, THE SPEAKER OF THE ASSEM-
BLY, THE TEMPORARY PRESIDENT OF THE SENATE, THE CHAIR OF THE SENATE
STANDING COMMITTEE ON VETERANS, HOMELAND SECURITY AND MILITARY AFFAIRS,
AND THE CHAIR OF THE ASSEMBLY STANDING COMMITTEE ON GOVERNMENTAL OPER-
ATIONS, WHICH PROVIDES A COMPREHENSIVE REVIEW DETAILING ALL THE ACTIV-
ITIES AND OPERATIONS OF THE OFFICE OF CYBER SECURITY, THE CYBER SECURITY
DEFENSE UNIT, THE CYBER INCIDENT RESPONSE TEAMS AND THE CYBER EDUCATION
AND ATTACK PREVENTION UNIT, DURING THE PAST YEAR. THE CYBER SECURITY
ACTION PLAN SHALL FURTHER PROVIDE THAT WHERE COMPLIANCE WITH SUCH A
REPORT WOULD REQUIRE THE DISCLOSURE OF CONFIDENTIAL INFORMATION, OR THE
DISCLOSURE OF SENSITIVE INFORMATION WHICH IN THE JUDGEMENT OF THE
COMMISSIONER WOULD JEOPARDIZE THE CYBER SECURITY OF THE STATE, THEN SUCH
CONFIDENTIAL OR SENSITIVE INFORMATION SHALL BE PROVIDED TO THE PERSONS
ENTITLED TO RECEIVE THE REPORT, IN THE FORM OF A SUPPLEMENTAL APPENDIX
TO THE REPORT, AND THAT SUCH SUPPLEMENTAL APPENDIX TO THE REPORT, SHALL
NOT BE SUBJECT TO THE PROVISIONS OF THE FREEDOM OF INFORMATION LAW
PURSUANT TO ARTICLE SIX OF THE PUBLIC OFFICERS LAW, AND ALTHOUGH THE
PERSONS ENTITLED TO RECEIVE THE REPORT MAY DISCLOSE THE SUPPLEMENTAL
APPENDIX TO THE REPORT TO THEIR PROFESSIONAL STAFF, THEY SHALL NOT
OTHERWISE PUBLICLY DISCLOSE SUCH CONFIDENTIAL OR SECURE INFORMATION. THE
CYBER SECURITY ACTION PLAN SHALL FURTHER PROVIDE THAT, EXCEPT WITH THE
RESPECT TO ANY CONFIDENTIAL OR SENSITIVE INFORMATION CONTAINED IN THE
SUPPLEMENTAL APPENDIX TO THE REPORT, THE COMMISSIONER SHALL DIRECT THAT
A COPY OF THE REPORT SHALL BE POSTED ON THE DIVISION'S WEBSITE, NOT MORE
THAN FIFTEEN DAYS AFTER SUCH REPORT IS DELIVERED TO THE PERSONS ENTITLED
TO RECEIVE SUCH REPORT. THE CYBER SECURITY ACTION PLAN SHOULD FURTHER
PROVIDE THAT THE DIVISION MAY FURTHER POST ANY AND ALL ADDITIONAL INFOR-
MATION IT MAY DEEM APPROPRIATE, ON ITS WEBSITE, REGARDING CYBER SECURI-
TY, AND THE PROTECTION OF PUBLIC AND PRIVATE COMPUTER SYSTEMS, NETWORKS,
HARDWARE AND SOFTWARE.
6. REIMBURSEMENT FOR COST OF SERVICE. THE CYBER SECURITY ACTION PLAN
ESTABLISHED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL FURTHER
MAKE RECOMMENDATIONS WITH RESPECT TO THE DIVISION CHARGING NON-GOVERN-
MENTAL ENTITIES FOR THE REASONABLE COST OF THE SERVICES PROVIDED BY THE
CYBER SECURITY INCIDENT RESPONSE TEAMS AND THE CYBER EDUCATION AND
ATTACK PREVENTION UNIT. THE CYBER SECURITY ACTION PLAN SHALL FURTHER
DETAIL HOW THE PROCEEDS FROM THE CHARGING FOR SUCH COSTS SHALL BE DEPOS-
ITED WITH THE STATE COMPTROLLER INTO A CYBER SECURITY SUPPORT SERVICES
ACCOUNT, OF WHICH THE COMPTROLLER WOULD HAVE CUSTODY. THE CYBER SECURITY
ACTION PLAN SHALL ADDITIONALLY DETAIL HOW THE COMPTROLLER MAY DISBURSE
MONIES HELD IN SUCH CYBER SECURITY ACCOUNT FOR THE PURPOSES OF PROVIDING
SUPPLEMENTAL FUNDS FOR THE OPERATION OF THE NEW STATE OFFICE OF CYBER
SECURITY.
7. TIMING OF CYBER SECURITY ACTION PLAN. THE COMMISSIONER, ON OR
BEFORE DECEMBER FIRST, TWO THOUSAND SEVENTEEN, SHALL DELIVER A COPY OF
THE CYBER SECURITY ACTION PLAN REQUIRED TO BE PRODUCED BY THIS SECTION,
TO THE THE GOVERNOR, THE SPEAKER OF THE ASSEMBLY, THE TEMPORARY PRESI-
DENT OF THE SENATE, THE CHAIR OF THE SENATE STANDING COMMITTEE ON VETER-
ANS, HOMELAND SECURITY AND MILITARY AFFAIRS, AND THE CHAIR OF THE ASSEM-
BLY STANDING COMMITTEE ON GOVERNMENTAL OPERATIONS.
S 2. This act shall take effect immediately.

S5946A (ACTIVE) - Details

S5946A (ACTIVE) - Summary

Directs the commissioner of the division of homeland security and emergency services to work with other experts who maintain experience and knowledge in the area of cyber security to develop a cyber security action plan for New York state.

S5946A (ACTIVE) - Sponsor Memo

BILL NUMBER: S5946A
TITLE OF BILL :
An act to amend the executive law, in relation to a cyber security
action plan
PURPOSE :
To develop a cyber security action plan that will create a
comprehensive and effective strategy to provide meaningful cyber
security for New York, its state agencies, its public authorities, its
assets, its infrastructure, its local governments, its private sector
businesses, its not-for-profit corporations and individuals.
SUMMARY OF SPECIFIC PROVISIONS :
Section one amends the executive law by adding a new section 719,
requiring the development of a cyber security action plan, with
findings and recommendations to be reported to the Legislature and the
Governor.
The team comprising the cyber security action plan, will make
recommendations regarding the establishment of a new state office of
cyber security. They will also make recommendations to create, within
the new office of cyber security, a cyber security defense unit, cyber
incident response teams, and a cyber education and attack prevention
unit. This section also requires the state office to submit an annual
report and permits the division of homeland security and emergency
services to charge non-governmental entities for the reasonable cost
of services.
Section two is the effective date.
JUSTIFICATION :
According to such entities as the United States Department of Homeland
Security, Interpol and the New York State White Collar Crime Task
Force, cybercrime is a pervasive and rapidly expanding threat. New
York state is particularly at risk to cybercrime due to its status as
a global hub of international business and commerce. As, most major
national and international banks, insurance companies and brokerage
houses also have headquarters or a significant presence within the
state, such present a particularly attractive target to those who wish
to engage in cyber crime or cyber terrorism.
Through the development of a cyber security action plan, the state of
New York can adequately and effectively prevent, respond to, and
recover from cyber attacks. Each of the units and teams established
pursuant to the cyber security action plan will maintain critical
roles in providing cyber security for the state. The defense unit and
response teams will be assigned the mission of using and developing
software, hardware and protocols to prevent unauthorized invasions,
hacking and attacks, and develop response activities, procedures, and
protocols to any such invasion or attack on any state computer network
or system. In addition, the mission of the response teams will be to
respond to and assist the targeted entity in the recovery from a cyber
attack. The education and prevention unit will help educate
governmental and non-governmental entities through instruction,
informational programs, and/or instructional or informational
material. This bill will significantly diminish current cyber
vulnerabilities within the state and effectively prepare entities
against cyber attacks.
PRIOR LEGISLATIVE HISTORY :
New Bill.
FISCAL IMPLICATIONS :
To be determined.
EFFECTIVE DATE :
This act shall take effect immediately.

S T A T E O F N E W Y O R K
________________________________________________________________________
5946--A
2017-2018 Regular Sessions
I N S E N A T E
May 8, 2017
___________
Introduced by Sen. CROCI -- read twice and ordered printed, and when
printed to be committed to the Committee on Veterans, Homeland Securi-
ty and Military Affairs -- recommitted to the Committee on Veterans,
Homeland Security and Military Affairs in accordance with Senate Rule
6, sec. 8 -- committee discharged, bill amended, ordered reprinted as
amended and recommitted to said committee
AN ACT to amend the executive law, in relation to a cyber security
action plan
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. The executive law is amended by adding a new section 719
to read as follows:
S 719. CYBER SECURITY. 1. CYBER SECURITY ACTION PLAN. THE COMMISSION-
ER, IN CONSULTATION WITH THE CHIEF INFORMATION OFFICER OF THE OFFICE OF
INFORMATION TECHNOLOGY, THE SUPERINTENDENT OF STATE POLICE, THE COMMIS-
SIONER OF GENERAL SERVICES, THE SUPERINTENDENT OF FINANCIAL SERVICES,
THE OFFICE OF THE STATE COMPTROLLER, AND SUCH OTHER EXPERTS FROM THE
PUBLIC, PRIVATE AND NOT-FOR-PROFIT SECTORS WHO MAINTAIN EXPERIENCE AND
KNOWLEDGE IN THE AREA OF CYBER SECURITY AS THE COMMISSIONER DEEMS
PRUDENT, SHALL DEVELOP A CYBER SECURITY ACTION PLAN FOR NEW YORK STATE.
THE PLAN SHALL MAKE RECOMMENDATIONS TO THE GOVERNOR AND THE LEGISLATURE
REGARDING THE ESTABLISHMENT OF A NEW STATE OFFICE OF CYBER SECURITY,
UNDER THE COMMAND AND CONTROL OF THE COMMISSIONER AND WITHIN THE DIVI-
SION, INCLUDING IDENTIFYING SUCH BUREAUS, RESPONSIBILITIES AND DUTIES
THAT SHOULD BE CONTAINED AND PERFORMED WITHIN SUCH OFFICE, THE BUDGET
AND PERSONNEL NECESSARY TO ESTABLISH SUCH OFFICE, AND THE SITE LOCATIONS
AT WHICH SUCH OFFICE SHOULD BE SITUATED. THE PURPOSE OF THE PLAN SHALL
BE TO DEVELOP A COMPREHENSIVE AND EFFECTIVE STRATEGY TO PROVIDE MEANING-
FUL CYBER SECURITY FOR THE STATE OF NEW YORK, ITS STATE AGENCIES, ITS
PUBLIC AUTHORITIES, ITS ASSETS, ITS INFRASTRUCTURE, ITS LOCAL GOVERN-
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD11004-02-8
MENTS, AND ITS PRIVATE SECTOR BUSINESSES, NOT-FOR-PROFIT CORPORATIONS
AND INDIVIDUALS.
2. CYBER SECURITY DEFENSE UNIT. THE CYBER SECURITY ACTION PLAN ESTAB-
LISHED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL FURTHER MAKE
RECOMMENDATIONS TO THE GOVERNOR AND THE LEGISLATURE ON THE ESTABLISH-
MENT, WITHIN THE OFFICE OF CYBER SECURITY, OF A CYBER SECURITY DEFENSE
UNIT. THE CYBER SECURITY ACTION PLAN SHALL DETAIL HOW THE CYBER SECURITY
DEFENSE UNIT, WOULD CONSIST OF SUCH PERSONS AS THE COMMISSIONER DEEMS
NECESSARY TO PERFORM ITS MISSION. THE CYBER SECURITY ACTION PLAN SHALL
FURTHER DETAIL THE MISSION OF THE CYBER SECURITY DEFENSE UNIT, WITH SUCH
MISSION BEING TO HELP PREVENT, RESPOND TO, AND RECOVER FROM CYBER
ATTACKS TARGETED AGAINST THE STATE, ITS ASSETS, AND ITS INFRASTRUCTURE,
TOGETHER WITH SUCH OTHER AND FURTHER DUTIES AND RESPONSIBILITIES AS THE
CYBER SECURITY ACTION PLAN MAY ADDITIONALLY PRESCRIBE. THE CYBER SECU-
RITY ACTION PLAN SHALL FURTHER DETAIL THAT THE PERSONNEL OF THE CYBER
SECURITY DEFENSE UNIT MUST BE EXPERT IN COMPUTER AND PROGRAMMING TECH-
NOLOGY SO AS TO PREVENT AND RESPOND TO UNAUTHORIZED INVASION, HACKING
AND ATTACKS AGAINST COMPUTER NETWORKS, SYSTEMS, DATABASES, AND INFORMA-
TION STORAGE. THE CYBER SECURITY ACTION PLAN SHALL FURTHER DETAIL HOW
THE PERSONNEL OF THE CYBER SECURITY DEFENSE UNIT MUST HAVE BACKGROUND
AND EXPERIENCE IN COMPUTER, SYSTEM AND NETWORK OPERATIONS AND VULNER-
ABILITIES, PROGRAMMING CODE, DATA RECOVERY AND CYBER SECURITY. THE
CYBER SECURITY ACTION PLAN SHALL ALSO PROVIDE THAT, IN ADDITION TO ANY
OTHER TASKS THE COMMISSIONER MAY WISH TO ASSIGN THE CYBER SECURITY
DEFENSE UNIT, THAT SUCH CYBER SECURITY DEFENSE UNIT SHALL ALSO BE
ASSIGNED THE MISSION OF USING AND DEVELOPING SOFTWARE, HARDWARE, AND
PROTOCOLS TO PREVENT SUCH UNAUTHORIZED INVASIONS, HACKING AND ATTACKS,
AND TO DEVELOP RESPONSE ACTIVITIES, PROCEDURES, AND PROTOCOLS TO ADDRESS
ANY SUCH INVASION, HACKING OR ATTACK ON ANY STATE COMPUTER NETWORK,
SYSTEM, DATABASE, AND/OR INFORMATION STORAGE. THE CYBER SECURITY ACTION
PLAN SHALL FURTHER DETAIL HOW THE CYBER SECURITY DEFENSE UNIT SHOULD
INTERACT AND DEPLOY THE USE OF OTHER CYBER EXPERTS, EDUCATORS, LAW
ENFORCEMENT, INTELLIGENCE EXPERTS, AND OTHER PUBLIC AND PRIVATE SECTOR
ENTITIES TO ASSIST IT IN THE PERFORMANCE OF ITS MISSION.
3. CYBER INCIDENT RESPONSE TEAMS. THE CYBER SECURITY ACTION PLAN
ESTABLISHED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL FURTHER
MAKE RECOMMENDATIONS TO THE GOVERNOR AND THE LEGISLATURE ON THE ESTAB-
LISHMENT, WITHIN THE OFFICE OF CYBER SECURITY, OF A GROUP OF CYBER INCI-
DENT RESPONSE TEAMS. THE CYBER SECURITY ACTION PLAN SHALL DETAIL HOW THE
CYBER INCIDENT RESPONSE TEAMS WOULD CONSIST OF SUCH PERSONS AS THE
COMMISSIONER DEEMS NECESSARY TO PERFORM ITS MISSION. THE CYBER SECURITY
ACTION PLAN SHALL FURTHER DETAIL THE MISSION OF THE CYBER INCIDENT
RESPONSE TEAMS, WITH SUCH MISSION BEING TO HELP PREVENT, RESPOND TO, AND
RECOVER FROM, CYBER ATTACKS TARGETED AGAINST STATE ENTITIES, PUBLIC
AUTHORITIES, LOCAL GOVERNMENTS, AND/OR PRIVATE SECTOR BUSINESSES,
NOT-FOR-PROFIT CORPORATIONS AND INDIVIDUALS, TOGETHER WITH SUCH OTHER
AND FURTHER DUTIES AND RESPONSIBILITIES AS THE CYBER SECURITY ACTION
PLAN MAY ADDITIONALLY PRESCRIBE. THE CYBER SECURITY ACTION PLAN SHALL
FURTHER DETAIL THAT THE PERSONNEL OF THE CYBER INCIDENT RESPONSE TEAMS
MUST BE EXPERT IN COMPUTER AND PROGRAMMING TECHNOLOGY SO AS TO PREVENT
AND RESPOND TO AN UNAUTHORIZED INVASION, HACKING AND ATTACKS AGAINST
COMPUTER NETWORKS, SYSTEMS, DATABASES, AND INFORMATION STORAGE. THE
CYBER SECURITY ACTION PLAN SHALL ADDITIONALLY DETAIL HOW THE PERSONNEL
OF THE CYBER INCIDENT RESPONSE TEAMS MUST HAVE BACKGROUND AND EXPERIENCE
IN COMPUTER, SYSTEM AND NETWORK OPERATIONS AND VULNERABILITIES, PROGRAM-
MING CODE, DATA RECOVERY AND CYBER SECURITY. THE CYBER SECURITY ACTION
PLAN SHALL ALSO PROVIDE, IN ADDITION TO ANY OTHER TASKS THE COMMISSIONER
MAY WISH TO ASSIGN THE CYBER INCIDENT RESPONSE TEAMS, THAT SUCH CYBER
INCIDENT RESPONSE TEAMS SHALL ALSO BE ASSIGNED THE MISSION OF USING AND
DEVELOPING SOFTWARE, HARDWARE, AND PROTOCOLS TO PREVENT SUCH UNAUTHOR-
IZED INVASIONS, HACKING AND ATTACKS, AND TO DEVELOP RESPONSE ACTIVITIES,
PROCEDURES, AND PROTOCOLS TO ADDRESS ANY SUCH INVASION, HACKING OR
ATTACK ON ANY STATE COMPUTER NETWORK, SYSTEM, DATABASE, AND/OR INFORMA-
TION STORAGE. THE CYBER SECURITY ACTION PLAN SHALL ALSO PROVIDE THAT IT
WOULD FURTHER BE THE MISSION OF EACH CYBER INCIDENT RESPONSE TEAM TO
RESPOND TO, AND HELP THE TARGETED ENTITY TO RECOVER FROM, CYBER INVA-
SION, HACKING AND ATTACKS. THE CYBER SECURITY ACTION PLAN SHALL ALSO
PROVIDE THAT WITHIN RESOURCES AVAILABLE, THE COMMISSIONER MAY DEPLOY A
CYBER INCIDENT RESPONSE TEAM TO A STATE ENTITY, PUBLIC AUTHORITY, LOCAL
GOVERNMENT, PRIVATE SECTOR BUSINESS, OR NOT-FOR-PROFIT CORPORATION THAT
HAS EXPERIENCED A CYBER ATTACK, TO PROMOTE AND ASSIST IN SUCH ENTITY'S
RESPONSE AND RECOVERY EFFORTS. THE CYBER SECURITY ACTION PLAN SHALL
FURTHER DETAIL HOW THE CYBER INCIDENT RESPONSE TEAM SHOULD INTERACT AND
DEPLOY THE USE OF OTHER CYBER EXPERTS, EDUCATORS, LAW ENFORCEMENT,
INTELLIGENCE EXPERTS, AND OTHER PUBLIC AND PRIVATE SECTOR ENTITIES TO
ASSIST THEM IN THE PERFORMANCE OF THEIR MISSION.
4. CYBER EDUCATION AND ATTACK PREVENTION. THE CYBER SECURITY ACTION
PLAN ESTABLISHED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL
FURTHER MAKE RECOMMENDATIONS TO THE GOVERNOR AND THE LEGISLATURE ON THE
ESTABLISHMENT, WITHIN THE OFFICE OF CYBER SECURITY, OF A CYBER EDUCATION
AND ATTACK PREVENTION UNIT TO ASSIST STATE AGENCIES, PUBLIC AUTHORITIES,
LOCAL GOVERNMENTS, AND/OR PRIVATE SECTOR BUSINESSES, NOT-FOR-PROFIT
CORPORATIONS AND INDIVIDUALS. THE CYBER SECURITY ACTION PLAN SHALL
DETAIL HOW THE CYBER EDUCATION AND ATTACK PREVENTION UNIT WOULD CONSIST
OF SUCH PERSONS AS THE COMMISSIONER DEEMS NECESSARY TO PERFORM ITS
MISSION. THE CYBER SECURITY ACTION PLAN SHALL FURTHER DETAIL THE MISSION
OF THE CYBER EDUCATION AND ATTACK PREVENTION UNIT, WITH SUCH MISSION
BEING TO HELP EDUCATE STATE AGENCIES, PUBLIC AUTHORITIES, LOCAL GOVERN-
MENTS, AND/OR PRIVATE SECTOR BUSINESSES, NOT-FOR-PROFIT CORPORATIONS AND
INDIVIDUALS ON HOW TO PREVENT AND RESPOND TO A CYBER ATTACK, TOGETHER
WITH SUCH OTHER AND FURTHER DUTIES AND RESPONSIBILITIES AS THE CYBER
SECURITY ACTION PLAN MAY ADDITIONALLY PRESCRIBE. THE CYBER SECURITY
ACTION PLAN SHALL FURTHER DETAIL THAT THE COMMISSIONER MAY DEPLOY WITHIN
RESOURCES AVAILABLE THE CYBER EDUCATION AND ATTACK PREVENTION UNIT TO
STATE AGENCIES, PUBLIC AUTHORITIES, LOCAL GOVERNMENTS, PRIVATE SECTOR
BUSINESSES, AND/OR NOT-FOR-PROFIT CORPORATIONS, TO EDUCATE AND/OR
INSTRUCT SUCH ENTITIES, HOLD INFORMATIONAL PROGRAMS, AND/OR PROVIDE
INSTRUCTIONAL OR INFORMATIONAL MATERIALS. THE CYBER SECURITY ACTION PLAN
SHALL FURTHER DETAIL HOW THE CYBER EDUCATION AND ATTACK PREVENTION UNIT
SHOULD INTERACT AND DEPLOY THE USE OF OTHER CYBER EXPERTS, EDUCATORS,
LAW ENFORCEMENT, INTELLIGENCE EXPERTS, AND OTHER PUBLIC AND PRIVATE
SECTOR ENTITIES TO ASSIST IT IN THE PERFORMANCE OF ITS MISSION.
5. REPORTING OF CYBER ENTITIES. THE CYBER SECURITY ACTION PLAN ESTAB-
LISHED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL FURTHER MAKE
RECOMMENDATIONS ON THE REPORTING OF THE NEW STATE OFFICE OF CYBER SECU-
RITY. THE CYBER SECURITY ACTION PLAN SHALL FURTHER REQUIRE THAT SUCH
REPORTING SHOULD CONTAIN A REQUIREMENT THAT ON OR BEFORE DECEMBER FIRST,
TWO THOUSAND NINETEEN, AND THEN EVERY YEAR THEREAFTER, THAT THE COMMIS-
SIONER SHALL SUBMIT A REPORT TO THE GOVERNOR, THE SPEAKER OF THE ASSEM-
BLY, THE TEMPORARY PRESIDENT OF THE SENATE, THE CHAIR OF THE SENATE
STANDING COMMITTEE ON VETERANS, HOMELAND SECURITY AND MILITARY AFFAIRS,
AND THE CHAIR OF THE ASSEMBLY STANDING COMMITTEE ON GOVERNMENTAL OPER-
ATIONS, WHICH PROVIDES A COMPREHENSIVE REVIEW DETAILING ALL THE ACTIV-
ITIES AND OPERATIONS OF THE OFFICE OF CYBER SECURITY, THE CYBER SECURITY
DEFENSE UNIT, THE CYBER INCIDENT RESPONSE TEAMS AND THE CYBER EDUCATION
AND ATTACK PREVENTION UNIT, DURING THE PAST YEAR. THE CYBER SECURITY
ACTION PLAN SHALL FURTHER PROVIDE THAT WHERE COMPLIANCE WITH SUCH A
REPORT WOULD REQUIRE THE DISCLOSURE OF CONFIDENTIAL INFORMATION, OR THE
DISCLOSURE OF SENSITIVE INFORMATION WHICH IN THE JUDGEMENT OF THE
COMMISSIONER WOULD JEOPARDIZE THE CYBER SECURITY OF THE STATE, THEN SUCH
CONFIDENTIAL OR SENSITIVE INFORMATION SHALL BE PROVIDED TO THE PERSONS
ENTITLED TO RECEIVE THE REPORT, IN THE FORM OF A SUPPLEMENTAL APPENDIX
TO THE REPORT, AND THAT SUCH SUPPLEMENTAL APPENDIX TO THE REPORT, SHALL
NOT BE SUBJECT TO THE PROVISIONS OF THE FREEDOM OF INFORMATION LAW
PURSUANT TO ARTICLE SIX OF THE PUBLIC OFFICERS LAW, AND ALTHOUGH THE
PERSONS ENTITLED TO RECEIVE THE REPORT MAY DISCLOSE THE SUPPLEMENTAL
APPENDIX TO THE REPORT TO THEIR PROFESSIONAL STAFF, THEY SHALL NOT
OTHERWISE PUBLICLY DISCLOSE SUCH CONFIDENTIAL OR SECURE INFORMATION. THE
CYBER SECURITY ACTION PLAN SHALL FURTHER PROVIDE THAT, EXCEPT WITH THE
RESPECT TO ANY CONFIDENTIAL OR SENSITIVE INFORMATION CONTAINED IN THE
SUPPLEMENTAL APPENDIX TO THE REPORT, THE COMMISSIONER SHALL DIRECT THAT
A COPY OF THE REPORT SHALL BE POSTED ON THE DIVISION'S WEBSITE, NOT MORE
THAN FIFTEEN DAYS AFTER SUCH REPORT IS DELIVERED TO THE PERSONS ENTITLED
TO RECEIVE SUCH REPORT. THE CYBER SECURITY ACTION PLAN SHOULD FURTHER
PROVIDE THAT THE DIVISION MAY FURTHER POST ANY AND ALL ADDITIONAL INFOR-
MATION IT MAY DEEM APPROPRIATE, ON ITS WEBSITE, REGARDING CYBER SECURI-
TY, AND THE PROTECTION OF PUBLIC AND PRIVATE COMPUTER SYSTEMS, NETWORKS,
HARDWARE AND SOFTWARE.
6. REIMBURSEMENT FOR COST OF SERVICE. THE CYBER SECURITY ACTION PLAN
ESTABLISHED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL FURTHER
MAKE RECOMMENDATIONS WITH RESPECT TO THE DIVISION CHARGING NON-GOVERN-
MENTAL ENTITIES FOR THE REASONABLE COST OF THE SERVICES PROVIDED BY THE
CYBER SECURITY INCIDENT RESPONSE TEAMS AND THE CYBER EDUCATION AND
ATTACK PREVENTION UNIT. THE CYBER SECURITY ACTION PLAN SHALL FURTHER
DETAIL HOW THE PROCEEDS FROM THE CHARGING FOR SUCH COSTS SHALL BE DEPOS-
ITED WITH THE STATE COMPTROLLER INTO A CYBER SECURITY SUPPORT SERVICES
ACCOUNT, OF WHICH THE COMPTROLLER WOULD HAVE CUSTODY. THE CYBER SECURITY
ACTION PLAN SHALL ADDITIONALLY DETAIL HOW THE COMPTROLLER MAY DISBURSE
MONIES HELD IN SUCH CYBER SECURITY ACCOUNT FOR THE PURPOSES OF PROVIDING
SUPPLEMENTAL FUNDS FOR THE OPERATION OF THE NEW STATE OFFICE OF CYBER
SECURITY.
7. TIMING OF CYBER SECURITY ACTION PLAN. THE COMMISSIONER, ON OR
BEFORE DECEMBER FIRST, TWO THOUSAND EIGHTEEN, SHALL DELIVER A COPY OF
THE CYBER SECURITY ACTION PLAN REQUIRED TO BE PRODUCED BY THIS SECTION,
TO THE THE GOVERNOR, THE SPEAKER OF THE ASSEMBLY, THE TEMPORARY PRESI-
DENT OF THE SENATE, THE CHAIR OF THE SENATE STANDING COMMITTEE ON VETER-
ANS, HOMELAND SECURITY AND MILITARY AFFAIRS, AND THE CHAIR OF THE ASSEM-
BLY STANDING COMMITTEE ON GOVERNMENTAL OPERATIONS.
S 2. This act shall take effect immediately.
